How to understand Neutron FWaaS

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01

This article explains how to understand Neutron FWaaS: what it is, how it differs from security groups, and how to enable it.

Today we look at another security-related service: FWaaS.

Understanding the concepts

Firewall as a Service (FWaaS) is an advanced service of Neutron.

Users can use it to create and manage firewalls that filter layer 3 and layer 4 traffic at the subnet boundary.

Firewalls in traditional networks are usually placed on gateways to control access between subnets. FWaaS works on the same principle: it applies firewall rules on Neutron virtual routers to control traffic entering and leaving tenant networks.

FWaaS has three key concepts: Firewall, Policy, and Rule.

Firewall

Tenants can create and manage logical firewall resources. A Firewall must be associated with a Policy, so a Policy must be created first.

Firewall Policy

A Policy is a collection of Rules, and the Firewall applies each Rule in the Policy in order.

Firewall Rule

A Rule is an access control rule consisting of source and destination subnet IPs, source and destination ports, a protocol, and an allow or deny action.

For example, we can create a Rule that allows external networks to access instances in the tenant network over SSH (port 22).

A concept that is easily confused with FWaaS is the security group.

A security group applies to an instance's virtual NIC and is implemented by the L2 agent, such as neutron_openvswitch_agent or neutron_linuxbridge_agent.

The security group controls traffic to and from the instance virtual NIC via iptables rules on compute nodes.

In other words, security groups protect instances.

FWaaS applies to the router. It can filter traffic coming from outside before that traffic reaches the security group, but it does not restrict traffic within the same subnet.

In other words, FWaaS protects subnets.

Therefore, FWaaS and security groups can be deployed simultaneously for dual protection.
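The two points above, that a Policy's Rules are applied in order and that FWaaS does not restrict traffic within a subnet, can be seen in a small model. This is an added example, not Neutron code: the `Rule` class, `evaluate` function, addresses and the deny result for unmatched traffic are assumptions made for illustration.

```python
# Added illustration: a minimal model of FWaaS rule evaluation, not Neutron code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    protocol: Optional[str] = None   # "tcp", "udp", "icmp"; None matches any
    src: str = "0.0.0.0/0"           # source CIDR
    dst: str = "0.0.0.0/0"           # destination CIDR
    dport: Optional[int] = None      # destination port; None matches any
    # Source port is left out of this model to keep it short.

    def matches(self, proto, src_ip, dst_ip, dport):
        return ((self.protocol is None or self.protocol == proto)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(policy: List[Rule], tenant_subnet, proto, src_ip, dst_ip, dport=None):
    """Return 'allow', 'deny' or 'not-filtered' for one packet."""
    net = ipaddress.ip_network(tenant_subnet)
    # Traffic between two hosts in the same subnet never crosses the router,
    # so the firewall does not see it; only security groups apply to it.
    if ipaddress.ip_address(src_ip) in net and ipaddress.ip_address(dst_ip) in net:
        return "not-filtered"
    for rule in policy:              # Rules are applied in Policy order
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action       # the first matching Rule decides
    return "deny"                    # assumption: unmatched traffic is denied


# Constructed sample data (documentation address ranges).
SUBNET = "192.0.2.0/24"
ALLOW_SSH = Rule("allow", "tcp", dst=SUBNET, dport=22)
DENY_HOST = Rule("deny", src="203.0.113.7/32")

if __name__ == "__main__":
    pkt = ("tcp", "203.0.113.7", "192.0.2.5", 22)
    print(evaluate([ALLOW_SSH, DENY_HOST], SUBNET, *pkt))  # deny rule is shadowed
    print(evaluate([DENY_HOST, ALLOW_SSH], SUBNET, *pkt))  # deny rule takes effect
```

Swapping the two Rules changes the verdict for the same packet, which is why a narrow deny has to sit above a broader allow in the Policy.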

Enable FWaaS

Because FWaaS is implemented in the router, it has no separate agent. The existing L3 agent is responsible for providing all FWaaS functionality.

To enable FWaaS, you must make some settings in Neutron's relevant configuration files.

Configure firewall driver

Neutron sets the driver used by FWaaS in the /etc/neutron/fwaas_driver.ini file. As shown below:

Here the driver is iptables. If more drivers are supported in the future, the driver can be changed here.

Configure Neutron

Enable the FWaaS plugin in the Neutron configuration file /etc/neutron/neutron.conf.

The above is an introduction to Neutron FWaaS; some of these points may come up in daily work.
